How to turn your Raspberry Pi into a secure VPN router

Write your password on a piece of paper and stick it to your forehead? Probably no. However, connecting to a public Wi-Fi network is almost as stupid.

However, you may not have a choice if you are on the road and want to stay connected. A VPN can protect you, but each device must connect separately unless you’re using an intermediate router.

Not to have on hand? Don’t worry, you can build one with a Raspberry Pi. This is the perfect choice for a DIY router, so let’s take a look at how to build one.

What you need

To get started building your Raspberry Pi VPN Travel Router, you will need:

Raspberry Pi (Pi 3 or Raspberry Pi Zero W preferred) with case
One USB Wi-Fi adapter (two if you’re using an older Raspberry Pi)
microSD card with at least 8 GB of storage
SD card reader
Quality power supply
PC with SSH client installed
VPN subscription with OpenVPN support

It is possible to use Pi models without built-in Wi-Fi, but you will need two USB Wi-Fi adapters or one capable of both managed/access point and client mode.

Instead of a standard Linux distribution, you need to install OpenWRT on an SD card to turn it into a full router. You can use a different Linux distribution if you like, but OpenWRT provides a handy web interface to set up when you’re away from home.

If you’re using Windows, you’ll also need to install PuTTY or another SSH client for Windows before starting work.

Step 1: Install OpenWRT

Etcher SD Screen Flashing Tool

First, download the OpenWRT firmware for your Raspberry Pi model. You can find the latest images on the OpenWRT wiki.

Unzip the downloaded file with 7zip or other suitable file zip manager, then transfer the IMG file to the card using Etcher .

This tool should automatically detect your SD card; you just need to select the image file, select the correct drive letter by letter, and then click flash.

After that, place the microSD card back into the Raspberry Pi and let it boot up.

Step 2: Initial setup

By default, OpenWRT uses a static IP address by default 192.168.1.1 which is the default gateway IP address for many routers. You will need to change this to prevent conflicts. Connect your Pi to your computer with an Ethernet cable; you may need to set a static IP address on your computer first.

Instead of handling the configuration using LuCI, the OpenWRT web interface, you will do it manually to make sure the configuration is set up correctly. Download PuTTY or your SSH client and first connect to 192.168.1.1 using username root.

You will receive an initial security warning the first time you connect; just click Yes and go on. It is recommended that you set a password at this point; Do this by typing passwd in the terminal window.

Configuring network and firewall settings

You need to edit two files − /etc/config/network and /etc/config/firewall before you can proceed. Start by typing the following to edit the file:

 vim /etc/config/network

Then press I to edit the text and add the following:

 config interface 'loopback' option ifname 'lo' option proto 'static' option ipaddr '127.0.0.1' option netmask '255.0.0.0' config interface 'lan' option type 'bridge' option ifname 'eth0' option force_link '1' option proto 'static' option ipaddr '192.168.38.1' option netmask '255.255.255.0' option ip6assign '60' config interface 'wwan' option proto 'dhcp' option peerdns '0' option dns '8.8.8.8 8.8.4.4' ## Google DNS servers config interface 'vpnclient' option ifname 'tun0' option proto 'none'

Once you’re done, click Esc key and type :wq to save and exit. Then turn your attention to the firewall configuration file:

 vim /etc/config/firewall

Click I to edit, then find (or add) a zone for the WAN partition, which should look like this:

 config zone option name wan option network 'wan wan6 wwan' option input ACCEPT option output ACCEPT option forward REJECT option masq 1 option mtu_fix 1

Type of reboot and wait for the Raspberry Pi to reboot with the new IP address: 192.168.38.1 .

Step 3: Update and Install Packages

Next, you need to update OpenWRT. To do this, you’ll borrow the Pi’s internal Wi-Fi and initially set it up to connect to an existing Wi-Fi network. You may need to change the static IP address to 192.168.38.2 or similar address in this range to allow the connection.

Once connected, enter your Raspberry Pi’s IP address in your browser to access the OpenWRT admin panel. Use your username and password to gain access, then go to Network > Wireless . You should only see one Wi-Fi device at this time, so click » Scan», to find your Wi-Fi network and then connect to the network when you find her.

You will need to enter your Wi-Fi password under the password WPA phrase , before pressing » Send».

You should now see the connection settings for your Wi-Fi connection. Go to Additional settings and install your code of the country according to your location; Otherwise, your Wi-Fi may not work.

Reconnect to your Pi using the new IP address via SSH (accepting the RSA security key warning). First you need to update your device by typing:

 opkg update

Follow this by clicking Y, when prompted.

Installing USB Wi-Fi Drivers

After installing all the updates, install all the necessary drivers for the USB Wi-Fi adapter. This is required to connect to Wi-Fi hotspots when you are on the go. You will also install the tools needed to make VPN connections using OpenVPN, as well as nano an easier-to-use terminal file editor.

This is where your method may differ; I had an RT2870 chipset wifi adapter so the following commands should also work:

 opkg install kmod-rt2800-lib kmod-rt2800-usb kmod-rt2x00-lib kmod-rt2x00-usb kmod-usb-core kmod-usb-uhci kmod-usb-ohci kmod-usb2 usbutils openvpn-openssl luci-app-openvpn nano ifconfig wlan1 up reboot

If you don’t have the RT2870 chipset Wi-Fi adapter or are unsure, connect it to the Wi-Fi adapter and type the following into an SSH terminal:

 opkg install kmod-usb-core kmod-usb-uhci kmod-usb-ohci kmod-usb2 usbutils lsusb

After the files are installed, you will see a list of connected devices. Find everything related to the wireless adapter and find the appropriate installation instructions for your device.

OpenWRT Putty terminal windows window

Step 4Set up a Wi-Fi hotspot

If a USB Wi-Fi adapter is connected, you can now set up both Wi-Fi connections. Go back to the LuCI control panel under » Wireless connection» and delete both network connections. Device radio0 is built-in Wi-Fi, and radio1 — USB Wi-Fi adapter.

Set up built-in Wi-Fi by clicking the » Add» . Make sure of the following:

Mode installed on Access point
ESSID set to the network name of your choice; default is OpenWRT
Net tuned to LAN
In chapter » Wireless Network Security» encryption installed on WPA2-PSK.
Key set to a suitable password

Once you’re done, click Save, then return to the menu Wireless . Follow the instructions given earlier for the initial connection to set up the device radio1 (your USB Wi-Fi adapter) on an existing network. Here you should also scan and change networks when you are in a new location.

OpenWRT LuCI Dashboard Wireless Menu

You should now have two Wi-Fi connections running, one as a hotspot for your Wi-Fi devices and the other as your device’s internet connection to your existing Wi-Fi network. Try connecting to your Pi at this point using your smartphone or laptop to make sure it works.

If it works, disconnect the Pi from the Ethernet connection to the PC.

Step 5: Connecting to the VPN and Final Changes

You will need an OpenVPN configuration file (OVPN) to connect your Pi to your chosen VPN provider and server. If you have one, download it to your Pi using an SCP client such as WinSCP where you can connect with your administrator username and password.

Rename the file to vpnclient.ovpn and upload it to the folder /etc/openvpn . Follow the instructions on the OpenWRT website to set up your Pi for VPN connections. The only small change will be in section 4 to configure the VPN client profile, where you will not need to use the initial tool cat to insert your file vpnclient.ovpn because it’s already there.

Once you complete this, your VPN connection should be activated automatically. Check if your outgoing IP address has changed; if it doesn’t, reboot your Pi and make sure your connection is active.

To find it, go to openvpn LuCI, which is listed under » Services» at the top of the control panel. If it’s connected, vpnclient will be displayed as Yes in a column Launched .